The Metasploit Framework is an open source
penetration-testing tool used for developing and executing exploit code against
a remote target machine. Metasploit has the world's
largest database of public, tested exploits. In simple words, Metasploit
can be used to test computer systems for vulnerabilities in order to
protect them, and on the other hand it can also be used to break into
remote systems.

What is the MS10-018 Exploit?

MS10-018 (CVE-2010-0806) is a use-after-free vulnerability in the Peer
Objects component (aka iepeers.dll) in Microsoft Internet Explorer 6, 6 SP1,
and 7 that allows remote attackers to execute arbitrary code via vectors
involving access to an invalid pointer after the deletion of an object, as
exploited in the wild in March 2010, aka "Uninitialized Memory Corruption
Vulnerability."

The persistent (stored) XSS vulnerability is the more
devastating variant because the injection is permanently stored
on the server (in a blog, message board, etc.) and is served to every
user who later views that page, with no further action by the attacker.

Imagine a sensitive website whose
designer did not test for injections. A malicious person could
simply insert a hidden cookie-harvester script and sit back and watch
their logs for SESSION cookies.

Note:
Firebug integrates with Firefox to put a wealth of web development
tools at your fingertips while you browse. You can edit, debug, and
monitor CSS, HTML, and JavaScript live in any web page.

Lab
Notes

In this lab we will do the following:

Due to a purposeful bug in
the add-to-your-blog.php code, we will use a Persistent Cross Site Scripting
technique to insert a Metasploit web link that attacks IE6 or IE7 on
Windows NT, 2000, XP, 2003 or Vista.

In the blog, we will insert the
Metasploit link as a
persistent XSS injection.

We will demonstrate this XSS Injection,
when a Windows XP-SP2 machine (running Internet Explorer 6) views
the blog with the XSS injection.

We will turn on Key Stroke Recorder.

We will view the Key Stroke Recorder
results.

Legal Disclaimer

As a condition of your use of this Web
site, you warrant to computersecuritystudent.com that you will not use
this Web site for any purpose that is unlawful or
that is prohibited by these terms, conditions, and notices.

In accordance with UCC § 2-316, this
product is provided with "no warranties, either express or implied." The
information contained is provided "as-is", with "no guarantee of
merchantability."

In addition, this is a teaching website
that does not condone malicious behavior of
any kind.

You are on notice, that continuing
and/or using this lab outside your "own" test environment
is considered
malicious and is against the law.

This is the machine that will be used to
attack the victim machine (Mutillidae).

Section 7: Login to
Damn Vulnerable WXP-SP2 (Victim Machine)

Start VMware Player

Instructions

For Windows 7

Click Start Button

Search for "vmware player"

Click VMware Player

For Windows XP

Start --> Programs --> VMware
Player

Edit Virtual Machine Settings

Instructions:

Click on Damn Vulnerable WXP-SP2

Edit Virtual Machine Settings

Note(FYI):

This third Virtual Machine does not
have to be Windows XP, but it does need to run Internet Explorer 6 or 7,
since those are the only browsers MS10-018 affects. It just needs to be
another Virtual Machine that views the injected blog entry, to demonstrate
how the exploit link is delivered covertly without the victim knowing.

Set Network Adapter

Instructions:

Click on Network Adapter

Click on the radio button "Bridged:
Connected directly to the physical network".

Start Up Damn Vulnerable WXP-SP2.

Instructions:

Start Up your VMware Player

Play virtual machine

Logging into Damn Vulnerable WXP-SP2.

Instructions:

Username: administrator

Password: <Provide the Password>

Open a Command Prompt

Instructions:

Start --> All Programs --> Accessories
--> Command Prompt

Obtain the IP Address

Instructions:

In the Command Prompt type "ipconfig"

Note(FYI):

In my case, Damn Vulnerable WXP-SP2's
IP Address is 192.168.1.107.

This is the IP Address of the
Victim Machine.

Record your IP Address.

Section 8: Start
msfconsole

Start msfconsole (On
BackTrack5R1)

Instructions:

msfconsole

Note(FYI):

The msfconsole is the Metasploit
Framework Console.

Search for MS10-018

Instructions:

search ms10_018

use
exploit/windows/browser/ms10_018_ie_behaviors

Note(FYI):

This module exploits a use-after-free
vulnerability within the DHTML behaviors functionality of Microsoft
Internet Explorer versions 6 and 7. This bug was discovered being
used in-the-wild and was previously known as the "iepeers"
vulnerability. The name comes from Microsoft's suggested workaround
to block access to the iepeers.dll file.